Rootkit.ZeroAccess Removal Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SweetCitrus, Jun 21, 2012.

  1. SweetCitrus

    SweetCitrus Private E-2

    Hello,

    I've been having recurrent problems with Rootkit.ZeroAgent... I normally use RadialPoint as my main and only antivirus, but somehow it gets disabled and crashes after every restart.

    So, I ran ComboFix, which tells me every time that I have been infected with Rootkit.ZeroAgent. Apparently, every time the malware does not get entirely removed because even though everything seems to be running smoothly, the damn bug keeps coming back to life.

    I should mention that I run RadialPoint right after ComboFix and everything seems alright.

    This time, I landed on one of your pages and I ran the malware removal procedure as instructed, and got the attached logs.

    By all means, your help will be greatly appreciated. I've had this XP desktop since 2001 and it has never been defeated by a virus/malware/etc. I hope to keep it that way.
     
  2. SweetCitrus

    SweetCitrus Private E-2

    Well, I forgot to upload the files... Sorry, it's kind of late and I've been at this for at least 7 hours. Here they are...

    By the way, I haven't enabled any disk emulation software, and my desktop is full of semi-transparent icons, which I suppose are hidden files that are now showing. Still not sure how to proceed with this.
     
    Last edited: Jun 26, 2012
  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, SweetCitrus :)

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 19
    • Uniblue DriverScanner
    • Uniblue PowerSuite
    • Uniblue RegistryBooster
    • Uniblue SpeedUpMyPC

    Fixing items using ComboFix
    Make sure that ComboFix.exe is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    __

    Now install the current version of Sun Java from: here

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited by a moderator: May 7, 2013
  4. SweetCitrus

    SweetCitrus Private E-2

    Hi Thisisu, thank you for the welcome and the prompt reply... Very much appreciated. :)

    I did the steps you provided, and these are the files I got...
     
    Last edited: Jun 26, 2012
  5. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\system32\drivers\*.sys /lockedfiles

    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
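The /md5start ... /md5stop section above asks OTL to record the MD5 of those six system files so they can be checked against known-good copies. As an added example (not OTL's code and not part of the original thread), here is a small Python script that performs that comparison against a baseline and reports files whose hash changed or that are missing; the Windows XP file locations it assumes are labelled in the code, and the demo runs on constructed files in a temporary directory rather than real system files.

```python
import hashlib
import os
import tempfile

# The files the OTL script above hashes between /md5start and /md5stop.
WATCHED = ["afd.sys", "i8042prt.sys", "ipsec.sys", "netbt.sys", "svchost.exe", "tcpip.sys"]

def watched_path(windir, name):
    """Assumed Windows XP layout: .sys files in system32\\drivers, svchost.exe in system32."""
    sub = ("system32", "drivers") if name.endswith(".sys") else ("system32",)
    return os.path.join(windir, *sub, name)

def md5_of_file(path):
    """Stream the file in chunks so a large driver need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_watched(windir):
    """MD5 of every watched file under windir; None when the file is absent."""
    paths = {name: watched_path(windir, name) for name in WATCHED}
    return {n: md5_of_file(p) if os.path.isfile(p) else None for n, p in paths.items()}

def classify(name, digest, baseline):
    """changed = differs from the known-good hash (a patched binary); missing = absent."""
    if digest is None:
        return "missing"
    if name not in baseline:
        return "unknown"
    return "unchanged" if digest == baseline[name] else "changed"

def compare_to_baseline(current, baseline):
    report = {"unchanged": [], "changed": [], "missing": [], "unknown": []}
    for name, digest in sorted(current.items()):
        report[classify(name, digest, baseline)].append(name)
    return report

def demo():
    """Constructed sample: fake %windir% with one driver patched and one deleted."""
    with tempfile.TemporaryDirectory() as windir:
        os.makedirs(os.path.join(windir, "system32", "drivers"))
        for name in WATCHED:
            with open(watched_path(windir, name), "wb") as handle:
                handle.write(b"clean contents of " + name.encode())
        baseline = hash_watched(windir)  # all present, so no None values yet
        with open(watched_path(windir, "afd.sys"), "wb") as handle:
            handle.write(b"modified")
        os.remove(watched_path(windir, "ipsec.sys"))
        return compare_to_baseline(hash_watched(windir), baseline)
```

On a real machine the baseline would come from hashes recorded while the system was known to be clean (or from a trusted copy of the same patch level), never from the suspect system itself.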
     
  6. SweetCitrus

    SweetCitrus Private E-2

    Thank you Thisisu!

    These are the OTL files... I got one extra one, which I attach just in case.
     
    Last edited: Jun 26, 2012
  7. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
     
    Last edited by a moderator: May 7, 2013
  8. SweetCitrus

    SweetCitrus Private E-2

    Thanks again Thisisu!

    I ran OTL again, but I forgot to save the file at the end, and the one that was on the desktop doesn't seem to be different than the one I posted earlier, so the board didn't let me upload it. The new Extras file is different though.

    Here are the files...
     
    Last edited: Jun 26, 2012
  9. thisisu

    thisisu Malware Consultant

    It's OK, I don't need the new OTL scan logs, only the fix log ;)

    Remember to let me know how the computer is running after you have completed the below steps.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited by a moderator: May 7, 2013
  10. SweetCitrus

    SweetCitrus Private E-2

    Hi Thisisu,

    Ran the routines, and the computer is running fine so far. I don't detect anything worth mentioning. It's an old computer, so it's rather slow, but I'm used to that.

    Thanks again for all your help.
     
    Last edited: Jun 26, 2012
  11. thisisu

    thisisu Malware Consultant

    This is the same fix log from before.

    You did complete my last set of instructions, though, right?

    __
     
  12. thisisu

    thisisu Malware Consultant

    As long as these are gone:
    ... then you can complete the final steps below ;)

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
    Last edited by a moderator: May 7, 2013
  13. SweetCitrus

    SweetCitrus Private E-2

    I checked the files, and they were still there... So, I deleted them by hand. I hope this is okay.
     
  14. thisisu

    thisisu Malware Consultant

    Yes, that's fine ;) Be safe.
     
  15. SweetCitrus

    SweetCitrus Private E-2

    Thank you so much Thisisu! :)
     
  16. SweetCitrus

    SweetCitrus Private E-2

    Good day Thisisu!

    I am very sorry to come back with a request like this, but I am currently looking for a job, and I would like to minimize my Internet footprint.

    Could you please remove the attachments that contain my name? I'd greatly appreciate it...

    Thanks.
     
  17. thisisu

    thisisu Malware Consultant

    Hi!

    Yes, it shouldn't be a problem, except that I do not have the ability to do it myself. I will ask a moderator to take a look here to remove the attachments and my fixes which involved your name.

    Best of luck job hunting!
     
  18. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    Everything is removed. Glad you got it all sorted. :)
     